[FLI-1258] Allow passing GitHub 'claims'/metadata to Authz #3435

@markphelps

Problem

Re: https://community.flipt.io/t/restrict-access-to-feature-flags-per-teams/41/2?u=mark

We currently map OIDC authn claims to a claims field in the metadata that is passed to our authz engine (i.e., https://docs.flipt.io/guides/operation/authorization/rbac-with-keycloak); however, we don't provide similar functionality for GitHub auth.

The user in the above linked Community post would like to create authz policies based on the authenticated user's GitHub team membership.

Ideal Solution

Provide a way to pass an authenticated GitHub user's data to our authz engine. It would be nice if it were similar to how we do it in OIDC using something like claims, although I realize the GitHub user response doesn't have a field called claims, so maybe we need to name it something else?

https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user

It also doesn't return the organization/teams of a user without doing another REST API call like we do to support GitHub allowed orgs/teams. But since we are already doing this at the authn stage, we could add this data to the metadata passed to authz.

Maybe we use something more generically named than claims for GitHub / other non-OIDC authn methods?

Search

  • I searched for other open and closed issues before opening this

Additional Context

No response

FLI-1258
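A sketch of the flow proposed in this issue, added here as an illustration and not taken from Flipt's code base: team membership collected at the authn stage is carried in metadata and checked at the authz stage. The key name `example.auth.github.teams`, the helpers `encodeTeams` and `allowed`, the string-to-string metadata map and the sample org and team names are all assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical metadata key; the issue leaves the field name open.
const teamsKey = "example.auth.github.teams"

// encodeTeams runs at the authn stage. Teams stay keyed by organization
// because a team slug is only unique inside its org. The metadata is
// assumed to be a string-to-string map, so the structure is JSON-encoded.
func encodeTeams(teamsByOrg map[string][]string) (map[string]string, error) {
	b, err := json.Marshal(teamsByOrg)
	if err != nil {
		return nil, err
	}
	return map[string]string{teamsKey: string(b)}, nil
}

// allowed runs at the authz stage. Missing or malformed metadata denies.
func allowed(metadata map[string]string, org, team string) bool {
	raw, ok := metadata[teamsKey]
	if !ok {
		return false
	}
	var teamsByOrg map[string][]string
	if err := json.Unmarshal([]byte(raw), &teamsByOrg); err != nil {
		return false
	}
	for _, t := range teamsByOrg[org] {
		if t == team {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample data.
	md, err := encodeTeams(map[string][]string{"acme": {"platform", "sre"}})
	if err != nil {
		panic(err)
	}
	fmt.Println(allowed(md, "acme", "sre"))                                      // true
	fmt.Println(allowed(md, "other", "sre"))                                     // false
	fmt.Println(allowed(map[string]string{teamsKey: "not json"}, "acme", "sre")) // false
}
```

Matching on the org and team pair rather than the team slug alone keeps a same-named team in an unrelated organization from satisfying the policy.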

Labels: enhancement, Created by Linear-GitHub Sync

Status: Done